10 devices on ACS, 20 users mapped from windows. How to specify access?

guibarati
Level 4

I have 10 devices and I want the administrative access to be authenticated against an ACS.

There are 20 users who will be allowed to authenticate on them, but they must have different access like:

User A access -> 1,5,8,9

User B access -> 8,9,10

And so on.

I've tried to use NAR to say which user has access to which device, but this way I must create a Windows group for each combination of user/device access, which is extremely huge for 10 devices.

I would need one group for those who can access devices 1,5,8, another for 4,8,9, and so on. Besides that, for each change I would need to create a new group.

The total number of combinations is more than 3,600,000 for 10 devices.

4 Replies

jhillend
Level 1

If you were to create a user group for each NAR combination you would need (2^10)-1 groups, or 1023 user groups. Still a big number and more than twice the number of available user groups in ACS. In this case you are better off configuring the NAR capability in each individual user configuration.

To explain the above number, see the following list:

devs | grps
  3  |   7
  4  |  15
  5  |  31

For 3 devices, a, b and c, the combinations are: abc, ab, ac, bc, a, b, c (= 7)

For 5 devices, a, b, c, d and e, the combinations are: abcde, abcd, abce, abde, acde, bcde, abc, abd, abe, acd, ace, ade, bcd, bce, bde, cde, ab, ac, ad, ae, bc, bd, be, cd, ce, de, a, b, c, d and e (= 31)

and so on.

Ok, I had misused 10! instead of 2^10-1, but that is not the point; the point is that too many groups would be necessary, and you caught that.

So you suggested using user-level NAR, but can I use that for users in Windows? Like mapping an individual Windows user to an ACS user?

Or should I create local ACS database users to do that?

Ah, you didn't mention Windows. Well, if you only have 20 users, the most groups you would need are 20. Or, if you only have 20 users, I would suggest configuring the users directly on ACS and use Windows AD for authentication only. They keep their normal login, but you have control over them. I am assuming that these users are device administrators requiring access control to network devices through ACS.
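The two counting arguments in this thread (one group per possible device combination gives 2^n - 1 groups, versus at most one group per user, i.e. at most 20, when groups are derived from the access people actually have) can be checked with a short script. This is an added example, not code from the original thread or from Cisco ACS; the device numbers and the user-to-device map below are constructed to match the "User A -> 1,5,8,9 / User B -> 8,9,10" pattern in the question, and the extra users and the function names are assumptions for illustration.

```python
from itertools import combinations

# Constructed sample data (assumed, not from the original post beyond users A and B):
# 10 managed devices, identified by number, and the devices each admin may log in to.
DEVICES = list(range(1, 11))

USER_ACCESS = {
    "userA": {1, 5, 8, 9},
    "userB": {8, 9, 10},
    "userC": {1, 5, 8, 9},   # identical set to userA, so they can share one group
    "userD": {4, 8, 9},
    "userE": {2, 3},
}


def nar_combinations(devices):
    """Yield every non-empty subset of devices.

    Each subset is one distinct NAR that a group could carry, which is the
    'one group per combination' design the question describes.
    """
    for k in range(1, len(devices) + 1):
        for combo in combinations(devices, k):
            yield frozenset(combo)


def group_count_per_combination(n_devices):
    """Groups needed under the one-group-per-combination design.

    Enumerated explicitly so the result can be compared with the closed
    form 2**n_devices - 1 quoted in the thread.
    """
    return sum(1 for _ in nar_combinations(range(n_devices)))


def groups_for_actual_users(user_access):
    """Groups needed when a group exists only for device sets actually in use.

    Returns {frozenset(devices): [users]}. Users with identical access share a
    group, so the number of entries can never exceed the number of users.
    """
    groups = {}
    for user, devs in sorted(user_access.items()):
        groups.setdefault(frozenset(devs), []).append(user)
    return groups


def users_allowed_on(user_access, device):
    """Per-device view: the permit list a device-side NAR would need."""
    return sorted(u for u, devs in user_access.items() if device in devs)


if __name__ == "__main__":
    for n in (3, 4, 5, 10):
        print(f"{n} devices -> {group_count_per_combination(n)} possible groups "
              f"(2^{n}-1 = {2 ** n - 1})")
    groups = groups_for_actual_users(USER_ACCESS)
    print(f"{len(USER_ACCESS)} users -> {len(groups)} groups actually needed")
    for devs, users in groups.items():
        print(f"  devices {sorted(devs)}: {users}")
    print("allowed on device 8:", users_allowed_on(USER_ACCESS, 8))
```

The enumeration confirms 7, 15, 31 and 1023 for 3, 4, 5 and 10 devices, while the map derived from real users needs only as many groups as there are distinct access sets (four here, for five users). Whichever side you configure it on, the per-device list from `users_allowed_on` is the thing to review when a device is added or an admin leaves.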

Actually, I mentioned "mapped from windows" in the title, but I guess I should have said it in the conversation body.

But my big problem is the growing number of users, so I would like a way to limit users' access such that I don't need one group per access combination.
